| Lucjan Bryndza | a6b7f87 | 2019-09-25 11:51:08 +0000 | [diff] [blame] | 1 | apiVersion: v1 |
| 2 | kind: Namespace |
| 3 | metadata: |
| 4 | name: ingress-nginx |
| 5 | labels: |
| 6 | app.kubernetes.io/name: ingress-nginx |
| 7 | app.kubernetes.io/part-of: ingress-nginx |
| 8 | |
| 9 | --- |
| 10 | |
| 11 | kind: ConfigMap |
| 12 | apiVersion: v1 |
| 13 | metadata: |
| 14 | name: nginx-configuration |
| 15 | namespace: ingress-nginx |
| 16 | labels: |
| 17 | app.kubernetes.io/name: ingress-nginx |
| 18 | app.kubernetes.io/part-of: ingress-nginx |
| 19 | |
| 20 | --- |
| 21 | kind: ConfigMap |
| 22 | apiVersion: v1 |
| 23 | metadata: |
| 24 | name: tcp-services |
| 25 | namespace: ingress-nginx |
| 26 | labels: |
| 27 | app.kubernetes.io/name: ingress-nginx |
| 28 | app.kubernetes.io/part-of: ingress-nginx |
| 29 | |
| 30 | --- |
| 31 | kind: ConfigMap |
| 32 | apiVersion: v1 |
| 33 | metadata: |
| 34 | name: udp-services |
| 35 | namespace: ingress-nginx |
| 36 | labels: |
| 37 | app.kubernetes.io/name: ingress-nginx |
| 38 | app.kubernetes.io/part-of: ingress-nginx |
| 39 | |
| 40 | --- |
| 41 | apiVersion: v1 |
| 42 | kind: ServiceAccount |
| 43 | metadata: |
| 44 | name: nginx-ingress-serviceaccount |
| 45 | namespace: ingress-nginx |
| 46 | labels: |
| 47 | app.kubernetes.io/name: ingress-nginx |
| 48 | app.kubernetes.io/part-of: ingress-nginx |
| 49 | |
| 50 | --- |
| 51 | apiVersion: rbac.authorization.k8s.io/v1beta1 |
| 52 | kind: ClusterRole |
| 53 | metadata: |
| 54 | name: nginx-ingress-clusterrole |
| 55 | labels: |
| 56 | app.kubernetes.io/name: ingress-nginx |
| 57 | app.kubernetes.io/part-of: ingress-nginx |
| 58 | rules: |
| 59 | - apiGroups: |
| 60 | - "" |
| 61 | resources: |
| 62 | - configmaps |
| 63 | - endpoints |
| 64 | - nodes |
| 65 | - pods |
| 66 | - secrets |
| 67 | verbs: |
| 68 | - list |
| 69 | - watch |
| 70 | - apiGroups: |
| 71 | - "" |
| 72 | resources: |
| 73 | - nodes |
| 74 | verbs: |
| 75 | - get |
| 76 | - apiGroups: |
| 77 | - "" |
| 78 | resources: |
| 79 | - services |
| 80 | verbs: |
| 81 | - get |
| 82 | - list |
| 83 | - watch |
| 84 | - apiGroups: |
| 85 | - "" |
| 86 | resources: |
| 87 | - events |
| 88 | verbs: |
| 89 | - create |
| 90 | - patch |
| 91 | - apiGroups: |
| 92 | - "extensions" |
| 93 | - "networking.k8s.io" |
| 94 | resources: |
| 95 | - ingresses |
| 96 | verbs: |
| 97 | - get |
| 98 | - list |
| 99 | - watch |
| 100 | - apiGroups: |
| 101 | - "extensions" |
| 102 | - "networking.k8s.io" |
| 103 | resources: |
| 104 | - ingresses/status |
| 105 | verbs: |
| 106 | - update |
| 107 | |
| 108 | --- |
| 109 | apiVersion: rbac.authorization.k8s.io/v1beta1 |
| 110 | kind: Role |
| 111 | metadata: |
| 112 | name: nginx-ingress-role |
| 113 | namespace: ingress-nginx |
| 114 | labels: |
| 115 | app.kubernetes.io/name: ingress-nginx |
| 116 | app.kubernetes.io/part-of: ingress-nginx |
| 117 | rules: |
| 118 | - apiGroups: |
| 119 | - "" |
| 120 | resources: |
| 121 | - configmaps |
| 122 | - pods |
| 123 | - secrets |
| 124 | - namespaces |
| 125 | verbs: |
| 126 | - get |
| 127 | - apiGroups: |
| 128 | - "" |
| 129 | resources: |
| 130 | - configmaps |
| 131 | resourceNames: |
| 132 | # Defaults to "<election-id>-<ingress-class>" |
| 133 | # Here: "<ingress-controller-leader>-<nginx>" |
| 134 | # This has to be adapted if you change either parameter |
| 135 | # when launching the nginx-ingress-controller. |
| 136 | - "ingress-controller-leader-nginx" |
| 137 | verbs: |
| 138 | - get |
| 139 | - update |
| 140 | - apiGroups: |
| 141 | - "" |
| 142 | resources: |
| 143 | - configmaps |
| 144 | verbs: |
| 145 | - create |
| 146 | - apiGroups: |
| 147 | - "" |
| 148 | resources: |
| 149 | - endpoints |
| 150 | verbs: |
| 151 | - get |
| 152 | |
| 153 | --- |
| 154 | apiVersion: rbac.authorization.k8s.io/v1beta1 |
| 155 | kind: RoleBinding |
| 156 | metadata: |
| 157 | name: nginx-ingress-role-nisa-binding |
| 158 | namespace: ingress-nginx |
| 159 | labels: |
| 160 | app.kubernetes.io/name: ingress-nginx |
| 161 | app.kubernetes.io/part-of: ingress-nginx |
| 162 | roleRef: |
| 163 | apiGroup: rbac.authorization.k8s.io |
| 164 | kind: Role |
| 165 | name: nginx-ingress-role |
| 166 | subjects: |
| 167 | - kind: ServiceAccount |
| 168 | name: nginx-ingress-serviceaccount |
| 169 | namespace: ingress-nginx |
| 170 | |
| 171 | --- |
| 172 | apiVersion: rbac.authorization.k8s.io/v1beta1 |
| 173 | kind: ClusterRoleBinding |
| 174 | metadata: |
| 175 | name: nginx-ingress-clusterrole-nisa-binding |
| 176 | labels: |
| 177 | app.kubernetes.io/name: ingress-nginx |
| 178 | app.kubernetes.io/part-of: ingress-nginx |
| 179 | roleRef: |
| 180 | apiGroup: rbac.authorization.k8s.io |
| 181 | kind: ClusterRole |
| 182 | name: nginx-ingress-clusterrole |
| 183 | subjects: |
| 184 | - kind: ServiceAccount |
| 185 | name: nginx-ingress-serviceaccount |
| 186 | namespace: ingress-nginx |
| 187 | |
| 188 | --- |
| 189 | |
| 190 | apiVersion: apps/v1 |
| 191 | kind: Deployment |
| 192 | metadata: |
| 193 | name: nginx-ingress-controller |
| 194 | namespace: ingress-nginx |
| 195 | labels: |
| 196 | app.kubernetes.io/name: ingress-nginx |
| 197 | app.kubernetes.io/part-of: ingress-nginx |
| 198 | spec: |
| 199 | replicas: 1 |
| 200 | selector: |
| 201 | matchLabels: |
| 202 | app.kubernetes.io/name: ingress-nginx |
| 203 | app.kubernetes.io/part-of: ingress-nginx |
| 204 | template: |
| 205 | metadata: |
| 206 | labels: |
| 207 | app.kubernetes.io/name: ingress-nginx |
| 208 | app.kubernetes.io/part-of: ingress-nginx |
| 209 | annotations: |
| 210 | prometheus.io/port: "10254" |
| 211 | prometheus.io/scrape: "true" |
| 212 | spec: |
| 213 | serviceAccountName: nginx-ingress-serviceaccount |
| 214 | containers: |
| 215 | - name: nginx-ingress-controller |
| 216 | image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.25.1 |
| 217 | args: |
| 218 | - /nginx-ingress-controller |
| 219 | - --configmap=$(POD_NAMESPACE)/nginx-configuration |
| 220 | - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services |
| 221 | - --udp-services-configmap=$(POD_NAMESPACE)/udp-services |
| 222 | - --publish-service=$(POD_NAMESPACE)/ingress-nginx |
| 223 | - --annotations-prefix=nginx.ingress.kubernetes.io |
| 224 | - --enable-ssl-passthrough=true |
| 225 | securityContext: |
| 226 | allowPrivilegeEscalation: true |
| 227 | capabilities: |
| 228 | drop: |
| 229 | - ALL |
| 230 | add: |
| 231 | - NET_BIND_SERVICE |
| 232 | # www-data -> 33 |
| 233 | runAsUser: 33 |
| 234 | env: |
| 235 | - name: POD_NAME |
| 236 | valueFrom: |
| 237 | fieldRef: |
| 238 | fieldPath: metadata.name |
| 239 | - name: POD_NAMESPACE |
| 240 | valueFrom: |
| 241 | fieldRef: |
| 242 | fieldPath: metadata.namespace |
| 243 | ports: |
| 244 | - name: http |
| 245 | containerPort: 80 |
| 246 | - name: https |
| 247 | containerPort: 443 |
| 248 | livenessProbe: |
| 249 | failureThreshold: 3 |
| 250 | httpGet: |
| 251 | path: /healthz |
| 252 | port: 10254 |
| 253 | scheme: HTTP |
| 254 | initialDelaySeconds: 10 |
| 255 | periodSeconds: 10 |
| 256 | successThreshold: 1 |
| 257 | timeoutSeconds: 10 |
| 258 | readinessProbe: |
| 259 | failureThreshold: 3 |
| 260 | httpGet: |
| 261 | path: /healthz |
| 262 | port: 10254 |
| 263 | scheme: HTTP |
| 264 | periodSeconds: 10 |
| 265 | successThreshold: 1 |
| 266 | timeoutSeconds: 10 |
| 267 | |
| 268 | --- |
| 269 | kind: Service |
| 270 | apiVersion: v1 |
| 271 | metadata: |
| 272 | name: ingress-nginx |
| 273 | namespace: ingress-nginx |
| 274 | labels: |
| 275 | app.kubernetes.io/name: ingress-nginx |
| 276 | app.kubernetes.io/part-of: ingress-nginx |
| 277 | spec: |
| 278 | externalTrafficPolicy: Local |
| 279 | type: LoadBalancer |
| 280 | selector: |
| 281 | app.kubernetes.io/name: ingress-nginx |
| 282 | app.kubernetes.io/part-of: ingress-nginx |
| 283 | ports: |
| 284 | - name: http |
| 285 | port: 80 |
| 286 | targetPort: http |
| 287 | - name: https |
| 288 | port: 443 |
| 289 | targetPort: https |
| 290 | |
| 291 | --- |
| 292 | |
| 293 | apiVersion: v1 |
| 294 | kind: Service |
| 295 | metadata: |
| 296 | name: ingress-nginx |
| 297 | namespace: ingress-nginx |
| 298 | labels: |
| 299 | app.kubernetes.io/name: ingress-nginx |
| 300 | app.kubernetes.io/part-of: ingress-nginx |
| 301 | spec: |
| 302 | type: NodePort |
| 303 | ports: |
| 304 | - name: http |
| 305 | port: 80 |
| 306 | targetPort: 80 |
| 307 | protocol: TCP |
| 308 | - name: https |
| 309 | port: 443 |
| 310 | targetPort: 443 |
| 311 | protocol: TCP |
| 312 | selector: |
| 313 | app.kubernetes.io/name: ingress-nginx |
| 314 | app.kubernetes.io/part-of: ingress-nginx |
| 315 | |
| 316 | --- |
| 317 | |